CVE-2026-32974: OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured
(updated )
Feishu webhook mode allowed deployments that configured only verificationToken without encryptKey. In that state, forged inbound events could be accepted because the weaker configuration did not provide the required cryptographic verification boundary.
References
- github.com/advisories/GHSA-g353-mgv3-8pcj
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/7844bc89a1612800810617c823eb0c76ef945804
- github.com/openclaw/openclaw/pull/44087
- github.com/openclaw/openclaw/releases/tag/v2026.3.12
- github.com/openclaw/openclaw/security/advisories/GHSA-g353-mgv3-8pcj
- nvd.nist.gov/vuln/detail/CVE-2026-32974
- www.vulncheck.com/advisories/openclaw-forged-event-injection-via-feishu-webhook-verification-token
Code Behaviors & Features
Detect and mitigate CVE-2026-32974 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →